Gmail Password Leak Update

We’ve taken extra steps to protect WordPress.com members.

September 12, 2014

Daryl L. L. Houston

This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users.

We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password. We also sent email notification of the password reset containing instructions for regaining access to the account. Users who received the email were instructed to follow these steps:

1. Go to WordPress.com.
2. Click the “Login” button on the homepage.
3. Click on the link “Lost your password?”
4. Enter your WordPress.com username.
5. Click the “Get New Password” button.

In general, it’s very important that passwords be unique for each account. Using the same password on different web sites increases the risk of an account being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.

It’s also a good idea to enhance account security by enabling two-step authentication on services that support the feature. Two-step authentication can be set up on WordPress.com by following these steps:

1. Browse to WordPress.com.
2. Hover over the user avatar at the top right of the screen.
3. Click “Settings.”
4. Click “Security” from the submenu.
5. Follow the instructions provided there.

We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.


It seems like you hear of someone being hacked on almost a daily basis. My email was hacked over a year ago. Real pain in the backside. I bought a password program and use a different 18 to 20 character password on every site. Have not been hacked ever since, but it is not as quick and easy to go to different sites. I try to remember and change some of them that go to sensitive sites like my bank on a somewhat regular basis.
Frank

If you’re having trouble, head here to try to reset. If that doesn’t work, try the “Need More Help?” link at the bottom, provide the requested info to help us validate access to the account, and we’ll try to get you squared away.

Jim, be sure to check your spam folder to make sure the emails aren’t being sent there. If not, then head over here and click the “Need More Help?” link at the bottom. Provide the requested details that’ll help us validate your access to the account and we’ll do our best to help get you logged back in.

I see a time coming where there will be daily hacks and security breaches that will change the fabric of how we do business. Everyone is going to have to be knowledgeable on IT and security issues in order to stay abreast of the threats lurking on every webpage/site. It is a shame we have to deal with these issues, but glad you're on top of it nevertheless. I hope those who had their emails breached know; some may never know until it is too late.

The email address you’ve used to comment was not on our list of accounts with matching passwords, so we didn’t send you an email. It’s still a good opportunity and reminder to double-check your password age and security. Even if you weren’t on this list, you never know when you’ll turn up on a list somewhere.

Thank you.
One thing I have found is, I backed up the password program with the URL user name and password in a word doc that is named a generic name. Some sites nail the password program when it logs in for me as being a robot. With most of the sites I go to being bookmarked, it is quick and easy to copy and paste from the word doc and it gives me a backup. I save the doc from time to time. I had a nasty virus awhile back and was thankful for a 3T external hard drive backup. Also grateful that I keep 2 copies of every authorization and key for each program I buy in a special folder. If you are not backed up, you might check with Amazon. The 3 Terabyte was less than $130 shipping and everything last year. Check with other places because Amazon does not always have the lowest price. Smaller external hard drives are cheaper.
If the folder for authorizing software is in your doc files, it will be automatically backed up on a regular basis.
I had to reinstall and reauthorize every program that I use. The pain was not as bad as it would have been without organization and copies of what I needed. Bought my first computer in 1987 and have been bit several times.
Frank

We really recommend the use of password manager software, which lets you remember one strong pass phrase that will encrypt and protect strong, random passwords for your various services. It’s really convenient and helps make your online accounts much more secure across the board.

Thanks Daryl for your kind suggestion. This will be very helpful to so many of us bloggers and internet users. Could you please share which password manager software you have found useful. Thanks soooo much for your insights!

Right, but since we know that people often use the same passwords across multiple accounts, we wanted to prevent in advance any account compromises in cases of such reuse. As noted in the post, there were over 100,000 accounts in the publicly available list for which the password could have allowed anyone reading the list to log into a WordPress.com account if it occurred to them to try (and this sort of thing certainly does occur to hackers and spammers). So sure, the list started as a bitcoin user account list, but it could have been used to hurt our users, and we prevented it.

Thank you for letting me know. I, however, opened a WordPress blog at one time or other but I did not carry on from there. I think I either cancelled the blog or I was trying to do so. So please let me know how I can get out of this predicament.

The list we checked was composed of Gmail accounts, and yours (at least the one you’re commenting with) is not a Gmail account, so it wasn’t on our list. It’s a good idea to change your password periodically and to follow best practices (linked in the post) for creating a strong password. Now would be as good a time as any to take care of that, whether or not you know your account to have been compromised.

Hi Daryl,
I appreciate your vigilance on our security, but who would ever hack intellectual property? I think that’s the reason I couldn’t get into my account anymore. I’ve been trying to do it several times to no avail. Please, let us do it in the end so that we would be able to access our account. I tried several times to make a new post but failed.

Yikes, I’m sorry you’re having trouble getting back in. Head to our lost password page to try to get sorted. If that too is giving you trouble, click the “Need More Help?” link at the bottom, provide the requested info to verify your account, and we’ll try to help you regain access.

As for who would ever try to hack intellectual property, you’d be surprised how often it happens and how much work we do behind the scenes to try to prevent it. There are other nasty reasons to try to hijack blogs too. Security is important even for things for which you wouldn’t really expect it to matter at all. 🙂

Nope, we’re definitely not storing them in an accessible form, but since the list included passwords in plain text, we could encrypt them and compare them to the encrypted passwords in our system. It’s the same process that occurs when you submit a password yourself via a form. 🙂
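An added example (not WordPress.com’s own code) of the matching process described in the post and in the reply above: each leaked plain-text password is hashed with the account’s stored salt, exactly as a login form would hash a submitted password, and compared to the stored hash; matches are queued for a forced reset and the remaining addresses for a dashboard notice. The user database, the leaked list, the normalization of addresses and the PBKDF2 hashing scheme are all constructed assumptions, not details from the page.

```python
import hashlib
import hmac
import os

# Assumed hashing scheme; the page does not say which one WordPress.com uses.
ITERATIONS = 100_000


def hash_password(password, salt):
    """Derive a salted hash the same way a login form would for a submitted password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password):
    """Create a (salt, hash) record for the constructed user database."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample user database: email -> (salt, stored hash). Plaintext never stored.
USER_DB = {
    "alice@gmail.com": make_user("correct horse battery"),
    "bob@gmail.com": make_user("hunter2"),
    "carol@example.org": make_user("another-unique-one"),
}

# Constructed sample leak in "email:password" form, as such lists usually circulate.
LEAKED_LIST = """\
Alice@Gmail.com:correct horse battery
bob@gmail.com:wrong-guess
dave@gmail.com:not-our-user
"""


def parse_leak(text):
    """Yield (email, password) pairs; addresses are lower-cased for lookup (assumption)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def triage_leak(leak_text, user_db):
    """Return (accounts to force-reset, accounts to notify only)."""
    reset, notify = [], []
    for email, leaked_pw in parse_leak(leak_text):
        record = user_db.get(email)
        if record is None:
            continue  # address not in our database: nothing to do
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            reset.append(email)  # leaked password works here: reset and email the user
        else:
            notify.append(email)  # in the leak but password differs: dashboard notice
    return reset, notify
```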

Thank you for your speedy action! Some of us wouldn’t have known this in time to safeguard our accounts at WordPress.

One of the best things anyone can do in a situation like this is immediately change the password of the gmail address associated with one’s WordPress account, whether or not one’s email is included in the list of 5 million hacked gmail accounts, among other things besides of course.

Reblogged this on if all else fails…use a hammer and commented:
In case any of you missed this, now might be a good time to update your WordPress and Gmail passwords (and Facebook, and Twitter, and Instagram, and Amazon…I should make a list of all my online accounts, methinks.)

Reblogged this on impressions and commented:
In general, it’s very important that passwords be unique for each ACCOUNT. Using the same password on different web sites increases the risk of an ACCOUNT being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.

Having bought my first computer in 1987, I have had some disasters over the years. What I found out is, when 3, 4, 5 or more years go by without a real problem with your files and programs, you get really careless about backing up.
That is why I like an external hard drive backup. For less than $130 I bought a 3 Terabyte backup hard drive. When I purchase a new program I automatically put all the necessary information in a doc file and save it to a folder just for that purpose. When I change a password or create a new account I use a password program to generate an 18 to 20 character password. I then save the login information, the URL, user name and password in a document for backup and to use on some sites.
Because all the information to reinstall, reauthorize a program and all my login information are in doc files, the external hard drive automatically keeps them backed up.
Being human I am prone to get careless when enough time passes without any major problems.
I found the best way to get around that is have a system that does it automatically for you.
What causes the greatest problems for us is, month after month, maybe several years go by nothing serious happens, things go pretty good. We get complacent. Really careless and then BOOM we get bit.
Amazing what you learn from the pain inflicted by the problem.
Frank

Yes, we support 2-step authentication in many countries, and Israel is among them. Go ahead and give it a try! If you run into a problem with the SMS, you may have better luck with an authenticator app.

Reblogged this on Ordinary Leader and commented:
I cannot emphasize enough to all of you how critical it is to maintain strong passwords and a unique password for every site. I appreciate WordPress’s two-step verification process with an Authenticator app. This is essential to protect you personally, your career, your intellectual assets as well as financial assets.

I’ve only ever used “1 Password” and so can’t speak to the quality of the others, sadly. It has served me well but is not free. Any of the ones on the list at the “strong passwords” link in the post would be worth looking into.

If you want to check if your Google account, which is the gateway to your Gmail, Plus, Drive, Hangout, YouTube accounts as well, has been compromised, then simply click this link and provide your Gmail ID. https://isleaked.com